2014-12-19 104 views
3

Subquery in parameterized SQL

I am using the following code to add some generalised values to a SQL table.

' Requires "Imports System.Data" at the top of the file (for SqlClient.* and SqlDbType)

'--Connect to datasource
Dim SqlconnectionString As String = "server=inlt01\SQLEXPRESS; database=DaisyServices; integrated security=yes"

'--Import selected file to Billing table and Master Services
Dim strSql As String = "INSERT INTO [" + FileNameOnly + "] (Site,CLI,FromDate,ToDate,Quantity,UnitCost,TotalCost,[Description],[User],Department,Filenameonly,billingmonth) VALUES (@Site,@CLI,@FromDate,@ToDate,@Quantity,@UnitCost,@TotalCost,@Description,@User,@Department,@filenameonly,(SELECT (CASE SUBSTRING(@filenameonly,1,3) WHEN 'Jan' THEN 1 WHEN 'Feb' THEN 2 WHEN 'Mar' THEN 3 WHEN 'Apr' THEN 4 WHEN 'May' THEN 5 WHEN 'Jun' THEN 6 WHEN 'Jul' THEN 7 WHEN 'Aug' THEN 8 WHEN 'Sep' THEN 9 WHEN 'Oct' THEN 10 WHEN 'Nov' THEN 11 WHEN 'Dec' THEN 12 END))); INSERT INTO [DaisyServicesMaster] (Site,CLI,FromDate,ToDate,Quantity,UnitCost,TotalCost,[Description],[User],Department,filenameonly,billingmonth) VALUES (@Site,@CLI,@FromDate,@ToDate,@Quantity,@UnitCost,@TotalCost,@Description,@User,@Department,@filenameonly,(SELECT (CASE SUBSTRING(@filenameonly,1,3) WHEN 'Jan' THEN 1 WHEN 'Feb' THEN 2 WHEN 'Mar' THEN 3 WHEN 'Apr' THEN 4 WHEN 'May' THEN 5 WHEN 'Jun' THEN 6 WHEN 'Jul' THEN 7 WHEN 'Aug' THEN 8 WHEN 'Sep' THEN 9 WHEN 'Oct' THEN 10 WHEN 'Nov' THEN 11 WHEN 'Dec' THEN 12 END)))"

Using connection As New SqlClient.SqlConnection(SqlconnectionString)

    Dim cmd As New SqlClient.SqlCommand(strSql, connection) ' create command object and add parameters

    ' The fourth argument of .Add is the source column name, so this command
    ' is meant to be used as the InsertCommand of a SqlDataAdapter, which
    ' fills the parameter values from each DataRow.
    With cmd.Parameters
        .Add("@Site", SqlDbType.VarChar, 30, "Site")
        .Add("@CLI", SqlDbType.VarChar, 30, "CLI")
        .Add("@FromDate", SqlDbType.Date, 30, "FromDate")
        .Add("@ToDate", SqlDbType.Date, 30, "ToDate")
        .Add("@Quantity", SqlDbType.Int, 3, "Quantity")
        .Add("@UnitCost", SqlDbType.Float, 5, "UnitCost")
        .Add("@TotalCost", SqlDbType.Float, 5, "TotalCost")
        .Add("@Description", SqlDbType.VarChar, 100, "Description")
        .Add("@User", SqlDbType.VarChar, 30, "User")
        .Add("@Department", SqlDbType.VarChar, 30, "Department")
        .AddWithValue("@filenameonly", FileNameOnly) ' same value for every row
    End With

End Using

For the @CLI value I want to use a subquery string

SELECT RIGHT(CLI, LEN(CLI) - 1) 

How can I incorporate a subquery that truncates the first character into my parameterized SQL?

I am fairly new to VB coding, so if you could provide some sample code it would be much appreciated.

+2

Do it in VB and treat it as an extra parameter to your SQL. Since you are using embedded SQL, there is no reason to do this in SQL rather than in VB. Use VB: it is easier, faster and cleaner. – Paolo 2014-12-19 10:56:04

Answer

2

You cannot pass code as a parameter. The purpose of parameterized queries is to prevent code from being passed through parameters, in order to prevent SQL injection attacks.

There are two ways to achieve the result you want:

  1. Truncate the value before passing it as a parameter.
  2. Truncate the value after the parameter has been passed.

The latter would mean changing your SQL code to the following:

Dim strSql As String = "INSERT INTO [" + FileNameOnly + "] (Site,CLI,FromDate,ToDate,Quantity,UnitCost,TotalCost,[Description],[User],Department,Filenameonly,billingmonth) VALUES (@Site,RIGHT(@CLI, LEN(@CLI) - 1),@FromDate,@ToDate,@Quantity,@UnitCost,@TotalCost,@Description,@User,@Department,@filenameonly,(SELECT (CASE SUBSTRING(@filenameonly,1,3) WHEN 'Jan' THEN 1 WHEN 'Feb' THEN 2 WHEN 'Mar' THEN 3 WHEN 'Apr' THEN 4 WHEN 'May' THEN 5 WHEN 'Jun' THEN 6 WHEN 'Jul' THEN 7 WHEN 'Aug' THEN 8 WHEN 'Sep' THEN 9 WHEN 'Oct' THEN 10 WHEN 'Nov' THEN 11 WHEN 'Dec' THEN 12 END))); INSERT INTO [DaisyServicesMaster] (Site,CLI,FromDate,ToDate,Quantity,UnitCost,TotalCost,[Description],[User],Department,filenameonly,billingmonth) VALUES (@Site,RIGHT(@CLI, LEN(@CLI) - 1),@FromDate,@ToDate,@Quantity,@UnitCost,@TotalCost,@Description,@User,@Department,@filenameonly,(SELECT (CASE SUBSTRING(@filenameonly,1,3) WHEN 'Jan' THEN 1 WHEN 'Feb' THEN 2 WHEN 'Mar' THEN 3 WHEN 'Apr' THEN 4 WHEN 'May' THEN 5 WHEN 'Jun' THEN 6 WHEN 'Jul' THEN 7 WHEN 'Aug' THEN 8 WHEN 'Sep' THEN 9 WHEN 'Oct' THEN 10 WHEN 'Nov' THEN 11 WHEN 'Dec' THEN 12 END)))"

One option you could consider, instead of a parameterized query, is to put the code into a stored procedure and call that stored procedure with parameters. In a database application there is usually a set of CRUD stored procedures - Create, Read, Update, Delete. There are even scripts that generate basic templates from the table structure. Here is an example:

http://www.sqlbook.com/SQL-Server/Auto-generate-CRUD-Stored-Procedures-40.aspx
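An added example, not from the question or the answer, that shows the answer's point in Python with SQLite so it runs offline: binding the subquery text as a parameter stores it as a plain string, while trimming either inside the statement (substr(?, 2), SQLite's equivalent of RIGHT(@CLI, LEN(@CLI) - 1)) or in the host language before binding gives the intended value. Table and column names are constructed, and the table-name allow-list stands in for the `[" + FileNameOnly + "]` concatenation in the question, which a parameter cannot replace.

```python
import sqlite3

# Constructed sample rows: each CLI carries a leading character that must be
# dropped, as RIGHT(@CLI, LEN(@CLI) - 1) does in the answer above.
SAMPLE_ROWS = [("SiteA", "X0123456789"), ("SiteB", "X0987654321")]

# The question splices the table name into the statement as
# "[" + FileNameOnly + "]". An identifier cannot be a parameter, so it is
# checked against an allow-list instead (hypothetical table names).
ALLOWED_TABLES = {"Jan2014Billing", "Feb2014Billing"}

# The subquery text the question wanted to place in @CLI.
SUBQUERY_TEXT = "SELECT RIGHT(CLI, LEN(CLI) - 1)"


def checked_table(name):
    """Return `name` only if it is a known table; refuse anything else."""
    if name not in ALLOWED_TABLES:
        raise ValueError("table name not in allow-list: %r" % name)
    return name


def insert_rows(conn, table, rows, mode):
    """Insert rows into `table`, trimming the first character of CLI.

    mode "literal": bind the subquery text itself as the @CLI value; it is
                    stored as data and never executed.
    mode "sql":     trim inside the statement from the bound value
                    (the answer's option 2).
    mode "host":    trim in the host language before binding (option 1).
    """
    table = checked_table(table)
    cli_expr = "substr(?, 2)" if mode == "sql" else "?"
    sql = "INSERT INTO [%s] (Site, CLI) VALUES (?, %s)" % (table, cli_expr)
    for site, cli in rows:
        if mode == "literal":
            value = SUBQUERY_TEXT
        elif mode == "host":
            value = cli[1:]
        else:
            value = cli
        conn.execute(sql, (site, value))


def stored_clis(mode, table="Jan2014Billing"):
    """Run one mode against a fresh in-memory DB and return the stored CLIs."""
    table = checked_table(table)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE [%s] (Site TEXT, CLI TEXT)" % table)
    insert_rows(conn, table, SAMPLE_ROWS, mode)
    query = "SELECT CLI FROM [%s] ORDER BY Site" % table
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    for mode in ("literal", "sql", "host"):
        print(mode, stored_clis(mode))
```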

+1

Thank you very much, truncating afterwards works perfectly :) – user3580480 2014-12-19 11:16:44